The present invention relates generally to data network traceback techniques, and more particularly to data network traceback using packet labeling.
Data networks, such as the Internet, are often the target of various types of attacks. One such attack is a denial of service (DoS) attack. A DoS attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. The attack may be initiated, for example, by an attacker sending a large amount of data traffic (e.g., data packets) to a particular network resource (e.g., website), thereby overloading the resource. There are tools currently available that provide the ability to easily launch a widely distributed denial of service (DDoS) attack. A DDoS attack is a type of DoS attack in which the data traffic originates from various locations, making it harder to defend against. DDoS attacks may result in large financial losses to victims of the attack.
One of the problems in defending against DDoS attacks is that the attackers use incorrect or spoofed Internet Protocol (IP) addresses in the attack data packets, thereby disguising the true origin of the attacks. Due to the stateless nature and destination-oriented routing of the Internet, it is a difficult problem to determine the true source of these spoofed IP packets. This problem is called the IP traceback problem.
Various IP traceback techniques have been proposed which allow for identification of the attack path of data packets. Identification of the attack path not only allows for after-the-fact identification of the attacker, but may also allow for the initiation of mitigation steps to end the attack if the traceback process is completed quickly. The known traceback techniques generally fall into two categories, packet marking and packet logging. Packet marking techniques mark data packets with partial path information while they traverse the network en route to their destination. The marking is performed by the routers along the path. Analysis of a sufficient number of these marked packets allows a victim of a DDoS attack to reconstruct the attack path. The packet logging technique stores packet digests (i.e., a hash value of the invariant portion of the packet header) in routers along the path of the packets. Analysis of the packet digests in neighboring routers allows for a reconstruction of the actual attack path.
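The following simulation is an added illustration of the packet-logging category described above; it is not the patent's own method and not code from any particular router vendor. It assumes a constructed five-router topology, a plain set standing in for the space-efficient digest store a real router would use, and a digest computed over fields that do not change hop to hop (the TTL is deliberately excluded because every router decrements it). The traceback walks from the victim's edge router upstream, asking each neighbor whether it logged the digest, and returns every path consistent with the logs so that an ambiguous answer is visible rather than silently resolved.

```python
import hashlib
from dataclasses import dataclass, replace

# Constructed teaching model of digest-based packet logging and traceback.
# Not the patent's method; topology, field choices and names are assumptions.


@dataclass(frozen=True)
class Packet:
    src: str        # may be spoofed; the traceback never trusts it
    dst: str
    ident: int      # IP identification field
    ttl: int        # decremented at every hop, so NOT part of the digest
    payload: bytes


def packet_digest(pkt: Packet) -> bytes:
    """Hash of the invariant portion of the packet.

    Only fields that are identical at every router on the path are included,
    so the same packet yields the same digest everywhere it is logged.
    The digest is truncated to 8 bytes to keep per-router storage small.
    """
    invariant = f"{pkt.src}|{pkt.dst}|{pkt.ident}|".encode() + pkt.payload[:8]
    return hashlib.sha256(invariant).digest()[:8]


class Router:
    """A router that records the digest of every packet it forwards."""

    def __init__(self, name: str, neighbors: list[str]):
        self.name = name
        self.neighbors = set(neighbors)
        self.digests: set[bytes] = set()   # stand-in for a Bloom filter

    def forward(self, pkt: Packet) -> Packet:
        self.digests.add(packet_digest(pkt))
        return replace(pkt, ttl=pkt.ttl - 1)   # TTL changes, digest does not

    def has_seen(self, d: bytes) -> bool:
        return d in self.digests


def send_along(routers: dict, path: list[str], pkt: Packet) -> Packet:
    """Deliver a packet hop by hop through the named routers."""
    for name in path:
        pkt = routers[name].forward(pkt)
    return pkt


def traceback(routers: dict, victim_edge: str, pkt: Packet) -> list[list[str]]:
    """Reconstruct candidate attack paths from neighbouring routers' logs.

    Starting at the victim's edge router, every neighbor that logged the
    digest is a possible upstream hop. All consistent paths are returned,
    ordered from ingress router to victim edge; more than one path means
    the logs are ambiguous and an operator must resolve the branch.
    """
    d = packet_digest(pkt)
    paths: list[list[str]] = []

    def walk(path: list[str]) -> None:
        current = routers[path[-1]]
        upstream = [n for n in sorted(current.neighbors)
                    if n not in path and routers[n].has_seen(d)]
        if not upstream:
            paths.append(list(reversed(path)))
        for n in upstream:
            walk(path + [n])

    walk([victim_edge])
    return paths


def build_topology() -> dict:
    """Constructed topology: R1-R2-R3-R4 chain with R5 bridging R2 and R4."""
    return {
        "R1": Router("R1", ["R2"]),
        "R2": Router("R2", ["R1", "R3", "R5"]),
        "R3": Router("R3", ["R2", "R4"]),
        "R4": Router("R4", ["R3", "R5"]),
        "R5": Router("R5", ["R2", "R4"]),
    }


def demo() -> dict:
    """Log an attack packet and a benign packet, then trace both back."""
    routers = build_topology()
    # Spoofed source address: the traceback result does not depend on it.
    attack = Packet("203.0.113.9", "198.51.100.5", 4242, 64, b"flood-data")
    benign = Packet("192.0.2.17", "198.51.100.5", 7, 64, b"hello")
    send_along(routers, ["R1", "R2", "R3", "R4"], attack)
    send_along(routers, ["R5", "R4"], benign)
    return {
        "attack": traceback(routers, "R4", attack),
        "benign": traceback(routers, "R4", benign),
    }


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, "->", paths)
```

Because the digest covers only invariant fields, a router logs the same value whether the packet arrives with TTL 64 or 61, and the spoofed source address in the attack packet is simply one more hashed field rather than something the traceback relies on. Two practical caveats the model makes visible: a probabilistic digest store would produce occasional false positives, which surface here as extra candidate paths, and the store must be queried before it is overwritten, which is why the text stresses completing the process quickly.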
Certain characteristics are desirable in a traceback technique. First, the traceback technique should be incrementally deployable, scalable, and require minimal changes to existing equipment. Further, the technique must be accurate, both in terms of identifying the true source of an attack and not incorrectly implicating innocent network hosts. In addition, the technique should require analysis of relatively few packets in order to complete the traceback process. Finally, the technique should be resistant to tampering due to spoofed information injected by the attackers or compromised network routers. While several traceback techniques have been proposed, such techniques do not sufficiently satisfy the stated requirements.
What is needed is an improved traceback technique having the above stated characteristics.